iPhone user privacy at risk from apps that transmit personal info

The user data collected by some iOS apps can be correlated to real-world identities, posing a privacy risk to iPhone, iPod touch, and iPad users. According to research from Bucknell University, a majority of iOS apps transmit user data back to their own servers. But because some store more info than others—and in some cases, in plaintext—it can be easily pieced together to reveal more about individual users than they bargained for.

Bucknell University Assistant Director of Information Security and Networking Eric Smith authored the paper, entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)." He and his team studied a total of 57 applications from the App Store—a combination of the Top 25 Free apps as well as some from the News: Top Free app sections. Sixty-eight percent of those applications transmitted the device's UDID back to the app's servers, though "several instances" were encrypted via SSL.

This in itself isn't much cause for alarm—it's likely that your own UDID has been bandied about a few times online already. However, Smith warned that many of the apps that collected UDID data also requested user credentials, and that personally identifiable information was often associated with those accounts. Apps that did so included ones from Amazon, Chase Bank, Target, and Sam's Club.

"For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner. The CBS News application transmits both the UDID and the iPhone device’s user-assigned name, which frequently contains the owner’s real name," notes the report.

"While some iPhone owners may purposefully want some trusted vendors to have access to their addresses, phone numbers, credit cards, and real names, they should be alarmed at the prospect of these same companies sharing their personal information with others. Is there any reason why the developer of a video game should know your home address?"

Smith says that with this data, combined with "extremely long-lived" tracking cookies that don't expire for years, companies could track a user's Internet surfing habits for far longer than necessary. (ABC's app sets a cookie with a 20-year lifetime, for example.) It could even allow developers to track a user across multiple devices when the user upgrades to a new phone and begins using those login credentials with a new UDID. And, as we know by now, it's not always as easy to get rid of persistent user-tracking cookies as we'd like to think.
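The three issues described above (a UDID sent unencrypted, a UDID sent alongside identifying fields, and a cookie that lives for years) can be checked for in a capture of an app's own traffic. The following is an added example, not code from the Bucknell paper or this article; the hosts, parameter names, sample values and the 365-day cookie threshold are assumptions, and the UDID is matched as a 40-character hexadecimal string.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit, parse_qsl

UDID_RE = re.compile(r"[0-9a-fA-F]{40}")            # 40 hex characters
IDENTITY_KEYS = {"name", "device_name", "email"}    # assumed parameter names
MAX_COOKIE_DAYS = 365                               # assumed policy threshold

def cookie_lifetime_days(set_cookie, captured):
    """Days until the cookie expires, or None for a session cookie."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    if "max-age" in attrs:                          # Max-Age wins over Expires
        return int(attrs["max-age"]) // 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - captured).days
    return None

def audit(flows):
    """Return sorted (host, issue) pairs for each privacy finding."""
    findings = set()
    for flow in flows:
        url = urlsplit(flow["url"])
        params = dict(parse_qsl(url.query) + parse_qsl(flow.get("body", "")))
        has_udid = any(UDID_RE.fullmatch(v) for v in params.values())
        if has_udid and url.scheme != "https":
            findings.add((url.hostname, "udid-in-cleartext"))
        if has_udid and IDENTITY_KEYS.intersection(params):
            findings.add((url.hostname, "udid-with-identity"))
        cookie = flow.get("set_cookie")
        if cookie:
            days = cookie_lifetime_days(cookie, flow["captured"])
            if days is not None and days > MAX_COOKIE_DAYS:
                findings.add((url.hostname, "long-lived-cookie"))
    return sorted(findings)

# Constructed sample capture; hosts, parameters and values are made up.
UDID = "0123456789abcdef0123456789abcdef01234567"
WHEN = datetime(2010, 10, 1, tzinfo=timezone.utc)
FLOWS = [
    {"url": "http://shop.example/login", "body": f"udid={UDID}&name=Jane+Doe", "captured": WHEN},
    {"url": f"https://bank.example/session?udid={UDID}", "captured": WHEN},
    {"url": f"http://news.example/ping?udid={UDID}&device_name=Jane%27s+iPhone",
     "set_cookie": "uid=abc123; Expires=Thu, 26 Sep 2030 00:00:00 GMT; Path=/",
     "captured": WHEN},
]
```

Calling `audit(FLOWS)` flags the two cleartext hosts and leaves the TLS-only request unflagged, since it carries the UDID without an identity field.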

"Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible—and technically, quite simple—for their browsing patterns, app usage, and physical location [to be] collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," wrote Smith.